Originally Posted by No Jitter – via nojitter.com – October 23, 2020

Tracking and analyzing costs associated with incident responses and training is a crucial step to IT security expense management.

When it comes to cyberattacks, there are the obvious cost to consider, and then there are less obvious expenses. The least expensive approach is to prevent cyberattacks from happening in the first place, circumventing the need to repair network damage in the first place. However, when enterprises create their cybersecurity budgets, they can miss critical items, which can produce significant financial risk. So, investing intelligently in cybersecurity should be a top priority for any IT team.

Thinking About Threats

Cyber threats are increasing in size and sophistication, and new threats, attack models, and phishing methods are constantly being introduced, made worse by the surge in WFH users. Experience and instincts may not be useful when making future cybersecurity decisions. In my blog “Mitigating Your Cyber Security Risks,” I stated: “Cyber security must be part of your business strategy, and should not be treated as an add-on or afterthought. There are many pitfalls that will be encountered as you create and implement your cyber security strategy.”

Staff Costs

IT security experts don’t come cheap either. The average annual salary for a cybersecurity job in the U.S. is $112,974 a year and fluctuates based on location and years of experience, according to ZipRecruiter. For example, I live in Arlington VA and the average salary for a cybersecurity professional is $119,709. And despite their high pay, COVID-19 has caused a shortage of cybersecurity talent. (Read more on that in my blog “Cyber Security Experts Becoming Endangered Species“)

Besides the security experts, you will probably have other staff on call when there is an incident. There are also users that may have reported the incident who will be involved with the incident response. Don’t forget to budget for the software updates and patches. Did you budget for all of the above?

Separately, you need to budget for user training, which isn’t a one-time expense. Training for new uses will occur, but existing users should be retrained periodically since about 50% of the security incidents are due to user mistakes, negligence, or malicious behavior.

Incident Response

Incident response (IR) is typically an underestimated budget item. When an enterprise experiences a data breach, a well-planned IR strategy can reduce financial losses. When it comes to IR expenses, you might have to train staff on how to use the software, and there is the cost of the software itself. Without taking into account IR expenses, enterprises can experience greater damage and financial risk.

Resource Replacement

The replacement costs associated with vulnerable assets are usually underestimated because of a narrow focus on which systems may be impacted by an incident, limiting replacements only to the most vulnerable systems. The growth of WFH users has increased the replacement costs, leaving pre-pandemic estimates useless.

Consultants

Enterprises don’t often budget for third-party vulnerability testing to look for security weaknesses, and similarly, they don’t factor in consultants who can advise on potential cyber threats. Don’t be fooled when IT staff show complete confidence in their security posture. Retaining the same consultant each year on a fixed budget doesn’t mean that the consultant is addressing your new and old security threats. You should have input from different security firms to review the security of sensitive data and who can spot new threats.

Insurance

Many enterprises are beginning to look into cyber insurance. While some might shy away from another expense, no insurance means enterprises may not be able to protect themselves against significant cyberattack-related losses. Applying for cyber insurance can lead to an improved cybersecurity infrastructure, even if you don’t subscribe to the insurance. The cyber insurance underwriting process can help identify cybersecurity gaps, and sometimes, filing those gaps and improving your existing security environment might mean you don’t need insurance.

Cloud Security Services

If you are not a large enterprise or you have limited IT security staff, you should investigate Security as a Service, which can be provided by an MSP or go directly to the cloud provider. This is a continuous process that can significantly reduce your security staff labor. Cloud cybersecurity spending may be underestimated or poorly managed, so watch out. Business units may initiate testing or development in cloud environments, without proper controls and spend their budgets on security.

The WFH move compels IT organizations to initiate fast solutions for problems that were unanticipated in their 2020 budgets. However, it’s very likely that security investments will not cover many of the new threats, especially for the WFH user and customer.